CVE-2019-16935

Priority
Description
The documentation XML-RPC server in Python through 2.7.16, 3.x through
3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This
occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py
in Python 3.x. If set_server_title is called with untrusted input,
arbitrary JavaScript can be delivered to clients that visit the http URL
for this server.
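Added example, not part of this tracker entry: a local check of whether the running interpreter's xmlrpc.server escapes server_title before embedding it in the generated documentation page, plus the escaping a deployment can apply itself on an interpreter that predates the fix. It renders through DocCGIXMLRPCRequestHandler, which shares XMLRPCDocGenerator's code path but needs no socket; the probe title and the sample method are constructed for the demonstration.

```python
"""Check whether this interpreter's xmlrpc.server escapes the server title
(CVE-2019-16935) before placing it in the documentation page."""
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed probe title: markup that must come back escaped.
PROBE_TITLE = '<script>document.title="probe"</script>'


def add(a, b):
    """Return a + b (sample method so the page documents something)."""
    return a + b


def render_doc_page(title, funcs=(add,)):
    """Build the documentation HTML the way DocXMLRPCServer does, without
    opening a socket: DocCGIXMLRPCRequestHandler uses the same
    XMLRPCDocGenerator.generate_html_documentation() but returns a string."""
    handler = DocCGIXMLRPCRequestHandler()
    handler.set_server_title(title)
    for func in funcs:
        handler.register_function(func)
    return handler.generate_html_documentation()


def title_is_escaped(title=PROBE_TITLE):
    """True when the raw markup never reaches the page and its escaped
    form does, i.e. the interpreter carries the upstream fix."""
    page = render_doc_page(title)
    return title not in page and html.escape(title) in page


def safe_title(untrusted):
    """Mitigation for an unpatched interpreter: escape before calling
    set_server_title(); this is the same html.escape() the upstream fix
    applies inside generate_html_documentation(). On a patched interpreter
    the title is escaped twice and merely displays oddly."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    print("server_title escaped by this interpreter:", title_is_escaped())
```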
Assigned-to
mdeslaur
Notes
leosilva: this bug addresses the docxmlrpc test hang issue:
https://bugs.python.org/issue27614.
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):released (2.7.3-0ubuntu3.15)
Ubuntu 14.04 ESM (Trusty Tahr):released (2.7.6-8ubuntu0.6+esm3)
Ubuntu 16.04 LTS (Xenial Xerus):released (2.7.12-1ubuntu0~16.04.9)
Ubuntu 18.04 LTS (Bionic Beaver):released (2.7.15-4ubuntu4~18.04.2)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (2.7.17-1ubuntu5)
Ubuntu 20.10 (Groovy Gorilla):not-affected (2.7.17-1ubuntu5)
Patches:
Upstream:https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):released (3.4.3-1ubuntu1~14.04.7+esm4)
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):released (3.5.2-2ubuntu0~16.04.9)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):released (3.6.8-1~18.04.3)
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
Package
Upstream:released (3.7.5~rc1-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 20.04 LTS (Focal Fossa):DNE
Ubuntu 20.10 (Groovy Gorilla):DNE
Patches:
Upstream:https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 20.04 LTS (Focal Fossa):not-affected (3.8.0~rc1-1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (3.8.0~rc1-1)
Patches:
Upstream:https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
Updated: 2020-07-28 18:55:36 UTC (commit 7b6828437fde0509248708fcdb5b0f7587b85bd1)